Re: How to check Health Information of SMART on an NVME disk?

2024-02-15 Thread Martin Schröder
On Thu, 15 Feb 2024 at 18:35, Mikolaj Kucharski wrote:
> > === START OF READ SMART DATA SECTION ===
> > Current Drive Temperature: 0 C
> > Drive Trip Temperature:0 C
> >
> > Read defect list: asked for grown list but didn't get it
> > Error Counter logging not supported
> >
> > Device does not support Self Test logging

The smartmontools wiki declares support for NVME as experimental and says
"Currently OpenBSD NVMe driver does not provide NVMe pass-through functionality"

https://www.smartmontools.org/wiki/NVMe_Support#SmartmontoolsNVMesupport1

Best
Martin



Re: /var/unbound/db/root.key not world-readable, unbound fails to start

2023-12-09 Thread Martin Schröder
On Sun, 10 Dec 2023 at 02:48, Todd C. Miller wrote:
> By default, /etc/login.conf has umask set to 022.  Is it more
> restrictive on your system?

Ah, yes. Mine is set to 077.

That would explain me being unable to start it via sudo.
And when I rebooted after a failed restart the permissions were probably kept,
so the next reboot didn't magically fix it. :-(

I added

Defaults umask_override
Defaults umask=0022

to /etc/sudoers

Thanks!

Best
Martin



/var/unbound/db/root.key not world-readable, unbound fails to start

2023-12-09 Thread Martin Schröder
Hi,
after the last erratas I rebooted my 7.4 and unbound failed to start because

unbound: [65439:0] error: unable to open /db/root.key for reading:
Permission denied
unbound: [65439:0] error: error reading auto-trust-anchor-file:
/var/unbound/db/root.key
unbound: [65439:0] error: validator: error in trustanchors config
unbound: [65439:0] error: validator: could not apply configuration settings.
unbound: [65439:0] error: module init for module validator failed
unbound: [65439:0] fatal error: failed to setup modules

And yes:

> l /var/unbound/db/root.key
-rw---  1 root  _unbound  758 Dec 10 02:16 /var/unbound/db/root.key

I patched rc.unbound to do a chmod a+r:

rc_pre() {
    if grep '^[[:space:]]*auto-trust-anchor-file:' \
        /var/unbound/etc/unbound.conf > /dev/null 2>&1; then
        /usr/sbin/unbound-anchor -v
        chmod a+r /var/unbound/db/root.key
    fi
    /usr/sbin/unbound-checkconf || return 1
}

And now unbound starts again.

Any idea what caused this?

Best
Martin
OpenBSD 7.4 (GENERIC.MP) #2: Fri Dec  8 15:39:04 MST 2023


Re: mount softdep — does it improve the situation for unexpected shutdowns?

2023-11-05 Thread Martin Schröder
On Sun, 5 Nov 2023 at 19:33, Mike Fischer wrote:
> However the default /etc/fstab does not make use of it.

From the 7.4 release notes:
--
Make the softdep mount(8) option a no-op. Softdep was a
  significant impediment to improving the vfs layer.
--

Methinks the man page could mention that.

Best
Martin



ftp.openbsd.org: tlsv1 alert protocol version

2023-10-25 Thread Martin Schröder
Hi,
downloading the latest patches on 7.4 fails with

> curl --verbose 
> https://ftp.openbsd.org/pub/OpenBSD/patches/7.4/common/001_xserver.patch.sig
*   Trying [2620:3d:c000:178::81]:443...
* Connected to ftp.openbsd.org (2620:3d:c000:178::81) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* LibreSSL/3.8.2: error:1400442E:SSL
routines:CONNECT_CR_SRVR_HELLO:tlsv1 alert protocol version
* Closing connection
curl: (35) LibreSSL/3.8.2: error:1400442E:SSL
routines:CONNECT_CR_SRVR_HELLO:tlsv1 alert protocol version

Best
 Martin



Re: AAAA entry for openbsd.org

2023-10-23 Thread Martin Schröder
On Mon, 23 Oct 2023 at 17:14, Theo de Raadt wrote:
> Martin Schröder  wrote:
>
> > On Mon, 23 Oct 2023 at 16:54, Theo de Raadt wrote:
> > > So many, many words demanding that I configure my networks for ipv6.
> >
> > "is there any reason openbsd.org still has no AAAA entry at the end of
> > 2023?"
> >
> > So the reason is "Theo doesn't want to configure his networks for v6"?
>
> Martin, what is the reason for your response?

I'm using OpenBSD, I've configured my network for v6 and I think the
question is valid
and hasn't received an answer. And I would accept a simple "yes" as an
answer from you.

Best
Martin



Re: AAAA entry for openbsd.org

2023-10-23 Thread Martin Schröder
On Mon, 23 Oct 2023 at 16:54, Theo de Raadt wrote:
> So many, many words demanding that I configure my networks for ipv6.

"is there any reason openbsd.org still has no AAAA entry at the end of 2023?"

So the reason is "Theo doesn't want to configure his networks for v6"?

Best
 Martin



Re: how to startx with kde?

2023-07-22 Thread Martin Schröder
On Sat, 22 July 2023 at 23:15, Greg Thomas wrote:
> Have you read:
>
> https://www.openbsd.org/faq/faq11.html

Where does that mention KDE?

Best
Martin

P.S.: Please learn to quote



Re: ntpd and ppm

2023-07-04 Thread Martin Schröder
On Tue, 4 July 2023 at 23:20, J Doe wrote:
> I checked: man ntpd and: man 2 adjfreq, and while: man 2 adjfreq
> mentions the same unit - "ppm" - it doesn't explain what that means.
>
> What does "ppm" stand for ?

microseconds per second.



PC Engines APU platform EOL

2023-04-19 Thread Martin Schröder
https://www.pcengines.ch/eol.htm

The end is near for APUs :-(

Best
Martin



Re: 7.3: speetest doesn't work

2023-04-16 Thread Martin Schröder
On Sun, 16 Apr 2023 at 15:49, Stuart Henderson wrote:
> At this point I think you might be better served by dumping the
> package list, uninstalling them all, and reinstalling with 022 umask.
>
> Borrowing the old instructions from the 5.5 time_t flag day release
> notes, this also keeps the "auto installed" / "manually installed"
> markers (so that pkg_delete -a still behaves how you want):
>
> pkg_info -mq >/root/pkg_list_manual
> pkg_info -q >/root/pkg_list_full
> pkg_delete -X /var/db/pkg/*-firmware-[0-9]*
> pkg_add -z -l /root/pkg_list_manual
> pkg_add -za -l /root/pkg_list_full

Thanks, that helped.

Best
Martin



Re: 7.3: speetest doesn't work

2023-04-16 Thread Martin Schröder
On Sun, 16 Apr 2023 at 15:38, Stuart Henderson wrote:
> So let's also add "newly created directories" to the list of things
> where umask messes up pkg_add ;) In this case, it will be
> /usr/local/lib/python3.10/encodings/

Probably more. In the end I did
   sudo chmod -R go+rX /usr/local/lib/python3.10/
as
   sudo chmod -R go+rX /usr/local/lib/python3.10/encodings/

wasn't enough. :-(

Best
Martin
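
Added example (not part of the original posts, and not OpenBSD's own tooling): a small sh audit for the failure mode seen both here and in the root.key thread above, where files and directories created under a 077 umask are unusable by anyone but the owner. The function names and the sample tree are constructed for illustration.

```sh
#!/bin/sh
# Added example: find entries a restrictive umask left inaccessible to
# non-owner users. All paths are constructed for the demo.

# Print every regular file lacking o+r and every directory lacking o+rx.
audit_world_access() {
    find "$1" \( -type f ! -perm -004 \) -o \( -type d ! -perm -005 \)
}

# Number of findings; 0 means unprivileged users can read the whole tree.
count_unreadable() {
    audit_world_access "$1" | wc -l | tr -d ' '
}

# Create a small tree the way an installer would under a given umask.
# $1 = target directory (must not exist yet), $2 = umask to install with
make_tree() {
    (
        umask "$2"
        mkdir -p "$1/lib/encodings"
        echo 'codec'  > "$1/lib/encodings/__init__.py"
        echo 'anchor' > "$1/root.key"
    )
}

# Demo on a constructed tree: install under 077, audit, then repair.
demo_dir=$(mktemp -d)
make_tree "$demo_dir/strict" 077
echo "after install with umask 077: $(count_unreadable "$demo_dir/strict") inaccessible entries"
audit_world_access "$demo_dir/strict"

# Fixing only the leaf directory leaves its parents untraversable.
chmod -R go+rX "$demo_dir/strict/lib/encodings"
echo "after fixing only encodings/: $(count_unreadable "$demo_dir/strict") inaccessible entries"

# go+rX adds read everywhere and search only on directories.
chmod -R go+rX "$demo_dir/strict"
echo "after fixing the whole tree: $(count_unreadable "$demo_dir/strict") inaccessible entries"
rm -rf "$demo_dir"
```
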



7.3: outdated mandoc.db lacks mutt(1) entry, run makewhatis /usr/local/man

2023-04-16 Thread Martin Schröder
Hi,
after upgrading to 7.3 man is somehow confused:

> man mutt
man: /usr/local/man/mandoc.db: Permission denied
man: outdated mandoc.db lacks mutt(1) entry, run makewhatis /usr/local/m

Neither
   makewhatis /usr/local/man
nor
   sudo makewhatis /usr/local/man
helps. :-(

How to fix?

Thanks in advance
 Martin



Re: 7.3: speetest doesn't work

2023-04-16 Thread Martin Schröder
On Sun, 16 Apr 2023 at 14:56, lux wrote:
>
> On Sun, 2023-04-16 at 14:41 +0200, Martin Schröder wrote:
> >
> > Fatal Python error: init_fs_encoding: failed to get the Python codec
> > of the filesystem encoding
> > Python runtime state: core initialized
> > ModuleNotFoundError: No module named 'encodings'
> >
>
> Is speedtest-cli installed via pkg_add?

pkg_add

> It looks like it was installed via pip or source package before the
> upgrade.
>
> I think you should reinstall speedtest-cli or re-build.

> sudo pkg_delete speedtest-cli
speedtest-cli-2.1.4beta1: ok
Read shared items: ok
[20230416T15:04:12+0200(106/15)] ms@wyvern 1032:~
> speedtest-cli --secure
-bash: /usr/local/bin/speedtest-cli: No such file or directory
[20230416T15:04:25+0200(106/15)] ms@wyvern 1033:~
> sudo pkg_add speedtest-cli
quirks-6.121 signed on 2023-04-15T20:15:19Z
speedtest-cli-2.1.4beta1: ok
[20230416T15:04:36+0200(106/15)] ms@wyvern 1034:~
> speedtest-cli --secure
Could not find platform independent libraries 
Could not find platform dependent libraries 
Consider setting $PYTHONHOME to [:]
Python path configuration:
  PYTHONHOME = (not set)
  PYTHONPATH = (not set)
  program name = '/usr/local/bin/python3.10'
  isolated = 0
  environment = 1
  user site = 1
  import site = 1
  sys._base_executable = '/usr/local/bin/python3.10'
  sys.base_prefix = '/usr/local'
  sys.base_exec_prefix = '/usr/local'
  sys.platlibdir = 'lib'
  sys.executable = '/usr/local/bin/python3.10'
  sys.prefix = '/usr/local'
  sys.exec_prefix = '/usr/local'
  sys.path = [
'/usr/local/lib/python310.zip',
'/usr/local/lib/python3.10',
'/usr/local/lib/lib-dynload',
  ]
Fatal Python error: init_fs_encoding: failed to get the Python codec
of the filesystem encoding
Python runtime state: core initialized
ModuleNotFoundError: No module named 'encodings'

Current thread 0x0194a7b6c660 (most recent call first):
  



7.3: speetest doesn't work

2023-04-16 Thread Martin Schröder
Hi,
after sysupgrade to 7.3 and pkg_add -u and reboot:

> speedtest-cli --secure
Could not find platform independent libraries 
Could not find platform dependent libraries 
Consider setting $PYTHONHOME to [:]
Python path configuration:
  PYTHONHOME = (not set)
  PYTHONPATH = (not set)
  program name = '/usr/local/bin/python3.10'
  isolated = 0
  environment = 1
  user site = 1
  import site = 1
  sys._base_executable = '/usr/local/bin/python3.10'
  sys.base_prefix = '/usr/local'
  sys.base_exec_prefix = '/usr/local'
  sys.platlibdir = 'lib'
  sys.executable = '/usr/local/bin/python3.10'
  sys.prefix = '/usr/local'
  sys.exec_prefix = '/usr/local'
  sys.path = [
'/usr/local/lib/python310.zip',
'/usr/local/lib/python3.10',
'/usr/local/lib/lib-dynload',
  ]
Fatal Python error: init_fs_encoding: failed to get the Python codec
of the filesystem encoding
Python runtime state: core initialized
ModuleNotFoundError: No module named 'encodings'

Current thread 0x0beeef85d660 (most recent call first):
  

dmesg is at https://www.oneiros.de/privat/openbsd/dmesg73.txt

Thanks in advance
Martin



Re: All my Rust programs stop working on OpenBSD 7.3

2023-04-10 Thread Martin Schröder
On Mon, 10 Apr 2023 at 18:10, Sebastien Marie wrote:
> On Mon, Apr 10, 2023 at 11:49:50PM +0800, Siegfried Levin wrote:
> > After I upgraded my OS from 7.2 to 7.3 with sysupgrade like 8 hours ago, 
> > all my programs written in Rust broke, including cargo installed with 
> > pkg_add on 7.2. I fixed Cargo by “pkg_add -u rust” and then recompiled some 
> > of my projects. Now they are having segment faults. Does anyone having the 
> > same error?
>
> you need to rebuild your locally built programs with rustc from 7.3.

Sounds like something the upgrade guide should mention...

Best
Martin



Re: Creating a "multicast bridge"?

2023-04-06 Thread Martin Schröder
On Thu, 6 Apr 2023 at 15:27, Why 42? The lists account. wrote:
> I'd like to create a "bridge" between two IP networks which will pass
> only multicast info. / traffic.

So it should only route FF00::/8?

Best
Martin



Re: OpenBSD as a transparent switch filter

2023-01-24 Thread Martin Schröder
On Wed, 25 Jan 2023 at 00:45, David Gwynne wrote:
> I think you can do this on OpenBSD with https://github.com/eait-itig/commarp 
> and just routing on em0. I don’t think any layer 2 things like bridge or veb 
> are needed, and probably won’t work anyway because as Claudio said, they 
> don’t want to hairpin anyway.

But arp only works for vintage-ip.

Best
Martin



Re: Unbound fails to resolve some domains

2023-01-11 Thread Martin Schröder
On Wed, 11 Jan 2023 at 21:06, Rodrigo Readi wrote:
> It stopped to resolve some domains, for example qwant.com

All fine here.

> Any Idea what is happening?

Not without some logs.

Best
Martin



Re: [SPAM?] Is CRONTAB(5) random really random ?

2023-01-05 Thread Martin Schröder
On Thu, 5 Jan 2023 at 18:16, Rachel Roch wrote:
> Especially given three of my crontab fields are supposed to be random 
> (minute, hour, day-of-month) I would expect to see at least one of the three 
> to be different ?!?

AFAIK there is only one random value and it's created at startup of the daemon.

Best
Martin



Re: 7.2: unbound(timeout) on startup

2022-11-10 Thread Martin Schröder
On Thu, 10 Nov 2022 at 11:22, Stuart Henderson wrote:
> On 2022-11-09, Martin Schröder  wrote:
> > On Thu, 10 Nov 2022 at 00:02, Martin Schröder wrote:
> >> This happens only on bootup of the machine... :-(
> >
> > I've tried hard to get any log messages for this, but failed so far.
> > Neither setting a log file for unbound nor "unbound_flags=-d -d"
> > produced any output.
>
> If you use dnssec validation, it's probably the rc-script trying
> to fetch the anchor.

I do, so it's very possible. Any idea how to get logging from there
during bootup?

Best
Martin



Re: 7.2: unbound(timeout) on startup

2022-11-09 Thread Martin Schröder
On Thu, 10 Nov 2022 at 00:25, Jan Stary wrote:
> With my current ISP, putting
>
> ifconfig pppoe0 down
>
> into rc.shutdown makes the subsequent boot faster with respect to pppoe.
> I suspect it's what you say: the session gets "terminated properly"
> somehow; without it, it takes longer before the ISP assigns me
> an address.

That helped, thanks!

> !while ! ifconfig pppoe0 | grep -F 185.63.96.79; do date ; sleep 10; done
>
> at the end of hostname.pppoe makes sure services only start
> after I have an address; and dmesg -s shows the waiting, if any.
> (Of course, I know the address here - tweak as needed.)

What happens when your pppoe doesn't come up?

Best
Martin



Re: 7.2: unbound(timeout) on startup

2022-11-09 Thread Martin Schröder
On Thu, 10 Nov 2022 at 00:02, Martin Schröder wrote:
> This happens only on bootup of the machine... :-(

I've tried hard to get any log messages for this, but failed so far.
Neither setting a log file for unbound nor "unbound_flags=-d -d"
produced any output.

Best
Martin



Re: 7.2: unbound(timeout) on startup

2022-11-09 Thread Martin Schröder
On Wed, 9 Nov 2022 at 23:51, Stuart Henderson wrote:
> On 2022-11-09, Jonathan Thornburg  wrote:
> The only times I've seen ISPs take more than a few seconds to do pppoe
> (unless they're broken) are if they have an old session hanging around
> from a reboot or crash where the previous session wasn't terminated
> cleanly.

This happens only on bootup of the machine... :-(

Best
Martin



Re: 7.2: unbound(timeout) on startup

2022-11-09 Thread Martin Schröder
On Wed, 9 Nov 2022 at 21:25, Jonathan Thornburg wrote:
> --- begin /etc/hostname.em0 ---
> inet autoconf
> --- end /etc/hostname.em0 ---

Well, this is DTAG vDSL, so I have

-- begin /etc/hostname.pppoe0
inet 0.0.0.0 255.255.255.255 NONE \
pppoedev vlan7 authproto pap \
authname foo authkey bar \
up
dest 0.0.0.1
inet6 autoconf
!/sbin/route add default -ifp pppoe0 0.0.0.1
!/sbin/route add -inet6 default -ifp pppoe0 fe80::%pppoe0
-- end /etc/hostname.pppoe0

-- begin /etc/hostname.vlan7
vnetid 7 parent em1 up
-- end /etc/hostname.vlan7

-- begin /etc/hostname.em1
up
-- end /etc/hostname.em1

And I have

-- begin /etc/resolv.conf.tail
lookup file bind
family inet6 inet4
-- end /etc/resolv.conf.tail

> Does the -d unbound flag give any useful output for you?  More generally,
> how are you starting unbound, i.e., what (if any) flags are you passing in
> /etc/rc.conf.local?  I have

None.

I suspect that pppoe is a bit slow at startup, so unbound somehow times out
but has no problems once the network setup/the machine is stable.

Best
Martin



7.2: unbound(timeout) on startup

2022-11-08 Thread Martin Schröder
Hi,
since upgrading my router to 7.1 unbound doesn't start up automatically anymore,
instead it times out:

starting early daemons: syslogd pflogd unbound(timeout) ntpd.

It can be started successfully manually later. This setup worked with 7.0.

System is an apu acting as a firewall/router for my home network; outside
connectivity is German Telecom DSL via pppoe.

dmesg: http://oneiros.de/privat/openbsd/dmesg.txt
unbound.conf: http://oneiros.de/privat/openbsd/unbound.conf

Any idea how to debug or fix this?

Thanks in advance
Martin



Verbose messages from pppoe(4)?

2022-07-29 Thread Martin Schröder
Hi,
I'm using pppoe to connect to my provider via DSL on 7.1.
Since yesterday my connection has been very flaky.

Is there a way to get more information about the connection state changes etc.?
Currently I only see the occasional

/bsd: pppoe0: LCP keepalive timeout

in /var/log/messages

I tried the debug setting in /etc/hostname.pppoe0, but that gives much
too much information.

Thanks in advance
Martin



Re: How to track system changes?

2022-04-04 Thread Martin Schröder
On Mon, 4 Apr 2022 at 17:50, Ian Darwin wrote:
> Yes, in fact, *everyone* else is. /etc/changelist lists files that are 
> monitored.
> You will get an email if they change, e.g., if a program surprisingly becomes 
> setuid.
>
> I imagine that this is documented someplace.

man security
man changelist

Best
Martin



Re: Release schedule/general product engineering

2021-04-22 Thread Martin Schröder
On Thu, 22 Apr 2021 at 09:28, Andrew Grillet wrote:
> I wanted to know approximately when the next release would be available

http://www.openbsd.org/faq/faq1.html#WhatIs

"The OpenBSD team makes a new release approximately every six months,
with the target release dates in May and November."

Best
Martin



Re: Impact of 002_icmp6.patch

2020-10-30 Thread Martin Schröder
On Fri, 30 Oct 2020 at 13:36, Florian Obser wrote:
> On Fri, Oct 30, 2020 at 11:58:41AM +0100, Martin Schröder wrote:
> > I'd much prefer that the project adopted a "v6 first, vintage ip
> > second" approach.
> > But I'm not a dev.
>
> ... you are saying if you were a dev things would be better?

Now who's putting words in whose mouth? :-)

I respect your decisions. And since I'm not a dev, my words don't
carry much value here.

> Thanks for ignoring all the hard work we put into making IPv6 better
> in OpenBSD.

I'm not. Thanks for your work.

Best
Martin



Re: Impact of 002_icmp6.patch

2020-10-30 Thread Martin Schröder
On Fri, 30 Oct 2020 at 11:54, Denis Fondras wrote:
> Please, fix your tweet. The default install answer for IPv6 is 'none'.

This borders on "switch off v6 for security reasons", which would be just wrong.

I'd much prefer that the project adopted a "v6 first, vintage ip
second" approach.
But I'm not a dev.

Best
Martin



Re: It's been awhile

2020-06-17 Thread Martin Schröder
On Wed, 17 June 2020 at 17:06, Rasmus Liland wrote:
> Try to buy sticker_40_w for 7€ from here:
> https://kd85.com/notforsale.html

Note that the project will probably get no money from that site.
If you want more context, search the list.

Best
Martin



Re: How do I set up a Wi-Fi access point (using APU2)?

2020-06-05 Thread Martin Schröder
On Fri, 5 June 2020 at 19:14, infoomatic wrote:
> it seems you skipped the firewall part of the document you were
> referring, you need NAT connections.

Or you do IPv6 instead of vintage-IP.

Best
Martin



Re: Filling a 4TB Disk with Random Data

2020-06-05 Thread Martin Schröder
On Fri, 5 June 2020 at 09:21, Roderick wrote:
> Is not there a SCSI command "sanitize" for that?

Secure erase: 
https://en.wikipedia.org/wiki/Parallel_ATA#HDD_passwords_and_security

Or you encrypt your device and throw away the key.

Best
Martin



/bsd: atascsi_passthru_done, timeout

2020-06-01 Thread Martin Schröder
Hi,
my firewall (APU2 with 6.7) shows this in messages ca. every other day.

smartctl shows the only disc is healthy, system is behaving fine.
Should I be worried?

dmesg is at https://paste.opensuse.org/11922555

Best
Martin



Re: Convert ffs1 to ffs2?

2020-05-20 Thread Martin Schröder
On Wed, 20 May 2020 at 11:41, Михаил Попов wrote:
> What is the best method to harden OpenBSD in a diskless mode?

Manually converting the fs to FFS2 using ed. That's what you are
interested in, right?



Re: More than 16 partitions

2020-04-23 Thread Martin Schröder
On Thu, 23 Apr 2020 at 21:31, wrote:
> No problem. Would it be too crude a suggestion that we go back to the
> content now...?

You didn't provide any patch.



Re: Wine for OpenBSD?

2020-04-11 Thread Martin Schröder
On Sat, 11 Apr 2020 at 13:19, Nikita Stepanov wrote:
> Wine for OpenBSD?

Your patch?



Re: FreeBSD daemon(8)-like command for OpenBSD

2020-01-30 Thread Martin Schröder
On Thu, 30 Jan 2020 at 21:06, Patrick Kristiansen wrote:
> The process I need to run is written in Clojure and thus runs on the
> Java Virtual Machine. Do you have any suggestions on how to best go
> about making it "daemon-like"? I am not sure that I can call unveil(2),

There is jsvc/apache commons daemon.
Don't know how well that works on OpenBSD, though.

Best
Martin



Re: Suggestion: Replace Perl with Lua in the OpenBSD Base System

2019-12-30 Thread Martin Schröder
On Tue, 31 Dec 2019 at 01:08, wrote:
> Would it be desirable for the OpenBSD project to replace Perl with Lua
> in the base system? A smaller base afforded to by Lua will reduce the

IMNSHO no.

You are welcome to fork your OpenLuaBSD project, though.

Looking forward to your first release.

Best
Martin



Re: Tape drive

2019-11-17 Thread Martin Schröder
On Sun, 17 Nov 2019 at 23:56, Pietro Paolini wrote:
> OpenBSD .my.domain 6.3 GENERIC.MP#9 amd64

Not supported anymore; upgrade to at least 6.5

Best
Martin



Re: Tools for writers

2019-11-06 Thread Martin Schröder
On Sat, 2 Nov 2019 at 16:06, Oliver Leaver-Smith wrote:
> What tools do people find useful for writing on OpenBSD? By writing I mean 
> long form such as novels and technical books, including plot and character 
> development, outlining, and formatting for publishing (not all the same 
> application necessarily)

Some writers swear by Scrivener. It's proprietary and Mac/Win only, though.

Best
Martin



Re: Tools for writers

2019-11-05 Thread Martin Schröder
On Mon, 4 Nov 2019 at 09:39, Roderick wrote:
> TeX produces dvi, a well documented and simple page description language.
> Then it is transformed to postscript or pdf.

Nope. pdfTeX was developed 25 years ago, LuaTeX 12 years ago. Both
write PDF directly.

Best
Martin



Re: IPv4 & IPv6 CIDR subnet calculator

2019-09-25 Thread Martin Schröder
On Wed, 25 Sept 2019 at 13:16, Mark Jamsek wrote:
> Or use the -6 switch for IPv6 addresses:

Please make v6 the default and Vintage-IP available via -4. It's 2019 after all.

Best
Martin



Re: Prometheus node_exporter on OpenBSD - anyone managed ?

2019-09-20 Thread Martin Schröder
On Fri, 20 Sept 2019 at 10:36, Rachel Roch wrote:
> pkg_add node_exporter ?

It's in current so 6.6 will have it.

Best
   Martin



want.html reachable from homepage?

2018-08-28 Thread Martin Schröder
Hi,
is there a clickpath from www.openbsd.org to want.html?

I had to use Google to find the page.

Best
Martin



Re: ISDN Card /PRI Card support on OpenBSD

2018-07-11 Thread Martin Schröder
2018-07-11 21:30 GMT+02:00 Paul de Weerd :
> Eicon was the brand, DIVA the model of one particular example I've
> actually had the "pleasure" of working with.  You can still find
> references on the web.  The web 1.0, that is.
>
> Now if you could get those to work using ppp, I have no clue.  But I
> think it's your best bet if you want to use your ISDN connectivity on
> OpenBSD in 2018 (which you don't).

I would try out an ISDN to USB adapter.
Or a Cisco 876, which seems to do ISDN to Ethernet. :-)

Best
   Martin



Re: ISDN Card /PRI Card support on OpenBSD

2018-07-11 Thread Martin Schröder
2018-07-11 18:48 GMT+02:00 Christian Weisgerber :
> (Once upon a time there was something called isdn4bsd, but I don't
> think it was ever officially integrated into OpenBSD, and that's
> from, oh, twenty years ago.)

IIRC it was one of the reasons for the start of MirBSD (which did ISDN).

Best
   Martin



Re: Date of yesterday

2018-04-09 Thread Martin Schröder
2018-04-09 20:58 GMT+02:00 Stephane HUC "PengouinBSD" :
> get the current timestamp, subtracting 86400 seconds is not reliable to
> get yesterday's date to the nearest second?

Did they teach leap seconds in your school yet?

Best
Martin



Re: UNIX Stackexchange - Community Promotion Ads - 2018

2018-02-25 Thread Martin Schröder
2018-02-25 18:29 GMT+01:00 Ingo Schwarze :
>  And no, i'm not going to create an account on some
> random site just for such a petty thing.

Stackoverflow is "some random website". :-)

Thanks. YMMD.

Best
Martin



Re: NAT for dual-WAN with public and private LAN

2018-02-19 Thread Martin Schröder
2018-02-17 15:08 GMT+01:00 miraculli . :
> I just got an second ADSL-uplink installed and now I try to reconfigure my
> pf.conf to load-balance NAT over both connections.

Just a reminder: NAT is not security and IPv6 should be the default.

https://youtu.be/v26BAlfWBm8

Best
Martin



Re: For a FFS on an SSD, which of "-o" nil, "sync" &/ "softdep" is more data-safe and fast?

2018-02-10 Thread Martin Schröder
2018-02-10 7:28 GMT+01:00 Rupert Gallagher :
> The only problem I've encountered is rsync unable to preserve the original 
> time of files: copied files have the time of the copy.

man rsync

-t, --times preserve modification times

You want
-a, --archive   archive mode; equals -rlptgoD (no -H,-A,-X)

Best
Martin



Re: [OT] how secure is 2 factor auth with a smartphone?

2017-12-14 Thread Martin Schröder
2017-12-14 3:16 GMT+01:00 Alceu Rodrigues de Freitas Junior
:
> What do you guys think about? Do you agree with the article author opinion?

It's probably more secure than your typical RSA token, which had
numerous security issues (including opening up the seeds!) in the last
years.

Best
   Martin



Re: Chip cheaper than chips

2017-12-04 Thread Martin Schröder
2017-12-04 11:05 GMT+01:00 Kevin Chadwick :
> dealing with Intel ME or AMD Ryzens bloat. Should I wait for everything
> to be ported to RISC and hope it is as stable and secure or wait for an
> ARM CISC chip, which probably won't happen?

I'll bite: Patches for a RISC-V port would probably be welcome.



Re: Any advice on a dedicated remote access server

2017-11-23 Thread Martin Schröder
2017-11-23 5:26 GMT+01:00  :
> https://www.soyoustart.com/us/essential-servers/

IPv4 only.



Re: OpenBSD 6.1 Release Notes

2017-04-19 Thread Martin Schröder
2017-04-19 21:00 GMT+02:00  :
> I'd like to help write them! What's your process/format for doing so?
>
> - Sent from Outlook for Android

Hint: It uses OpenBSD



Re: Why isn't OpenBSD in Google Summer of Code 2017?...

2017-04-05 Thread Martin Schröder
2017-04-05 22:55 GMT+02:00 Flipchan :
> Ping Theo, couldn't someone create a needs improvements list n put it on like
> OpenBSD.org?

No. You've got an itch to scratch, fix that.

Best
   Martin



Re: Is randomizing UID/GUID would make sense?

2017-01-23 Thread Martin Schröder
2017-01-23 15:37 GMT+01:00 andrew fabbro <and...@fabbro.org>:
> On Fri, Jan 20, 2017 at 3:44 AM, Martin Schröder <mar...@oneiros.de> wrote:
>> 2017-01-20 8:43 GMT+01:00 minek van <minek...@mail.com>:
>> > Or something would be broken with random UIDs/GUIDs, ex.: NFS? Would it
>> > only do pain?
>>
>> Yes.
>
> Not sure about that...it would certainly be a headache to change UIDs/GIDs
> if you already have them in place, but for setting up a new server/new
> accounts, nfs doesn't care what number you are (well, 0 excepted).  Whether
> the algorithm is "last used +1" or arc4random, you have the same
> sync/directory problems regardless.  That's for user accounts...service
> accounts might need a bit more thought.

And what if my UID/GUIDs are random on every host and server? Would
nfs handle that?

Best
   Martin



Re: Is randomizing UID/GUID would make sense?

2017-01-20 Thread Martin Schröder
2017-01-20 8:43 GMT+01:00 minek van :
> Could it bring more security if the UIDs/GUIDs would be random?

Why? What's the attack you want to defend against?

> Or something would be broken with random UIDs/GUIDs, ex.: NFS? Would it only 
> do pain?

Yes.



Re: OpenJDK and support for JCE Unlimited Strength Jurisdiction Policy

2016-12-14 Thread Martin Schröder
2016-12-14 14:09 GMT+01:00 Rubén Llorente :
> I used to think that OpenJDK already included the Unlimited Strength Policies,
> so this is a bit confusing.

http://stackoverflow.com/q/1179672/821436 :-)

Best
   Martin



Re: Dell R930 server

2016-11-09 Thread Martin Schröder
2016-11-09 9:06 GMT+01:00 ludovic coues :
> I would say big data.
>
> Stackexchange have a pair of SQL Server, with 384Go of memory for
> stackoverflow and 768 for everything else, a Redis server with 256, a
> server for elasticsearch with 192 and same quantity for an HAProxy
> server.

None of this is the domain of OpenBSD and nobody in his right mind
wants to run Stackexchange on OpenBSD.

Or are you suggesting that SAP should port HANA to OpenBSD?

Best
   Martin



Re: OT: shell / terminal / console / tty / cua / getty

2016-10-21 Thread Martin Schröder
2016-10-21 12:04 GMT+02:00 Mihai Popescu :
> terminal: physical stuff, keyboard + screen + serial port for
> mainframe connection

Relevant: https://www.jwz.org/blog/2016/10/export-termaaa-60/

> enough. Also a link or a book indication for all this stuff will be
> fine.

We have man pages and wikipedia exists. :-)

Best
   Martin



Re: 4th nic for pcengines apu2

2016-10-19 Thread Martin Schröder
2016-10-19 14:24 GMT+02:00 Marko Cupać :
> Any other words of wisdom regarding my idea?

Save yourself the trouble and get a similar machine with more NICs,
e.g. from Lanner.

Best
   Martin



Re: ARM64:s finally on the market, and flooding it. OpenBSD support?

2016-09-22 Thread Martin Schröder
2016-09-22 13:51 GMT+02:00 Tinker :
> What about running OpenBSD on these, do you have any idea when this should
> be possible?

https://www.openbsd.org/armv7.html
"A mailing list for ARM-based ports is available at a...@openbsd.org."

The devs are looking forward to getting the boards you are sending them.

Best
   Martin



Re: DigitalOcean and OpenBSD

2016-08-24 Thread Martin Schröder
2016-08-24 21:50 GMT+02:00  <li...@wrant.com>:
> Wed, 24 Aug 2016 20:37:22 +0200 Martin Schröder <mar...@oneiros.de>
>> You're not helping.
>>
> Neither are you, of course, needless to say.  Because you just won't get

Did you actually read his first mail? Do it again and try to understand it.
Since you have no actual experience with DigitalOcean and OpenBSD, you
should not have answered.

You don't have to prove that he is wrong, you know.



Re: DigitalOcean and OpenBSD

2016-08-24 Thread Martin Schröder
2016-08-24 16:48 GMT+02:00  :
> You did not provide any sensible detail, so consider this guess work.

You're not helping.



Re: LibreSSL on old OpenBSD

2016-08-13 Thread Martin Schröder
2016-08-12 23:28 GMT+02:00 Philip Guenther :
> Yes, the previous situation with  and 
> was confusing (code was including the wrong header and not getting the

Thanks. Finally an answer after days of shouting.

Best
   Martin



Re: Question about NTP server

2016-06-30 Thread Martin Schröder
2016-06-30 21:24 GMT+02:00 Leonardo Santagostini :
> 1) Is there some calculus for making those ntp boxes efficient in terms of
> not overstate (sorry, but English is not my mother tongue) or right size
> the hardware.

A Raspberry Pi would suffice (but it's not supported by OpenBSD).
Any old server you have lying around will be more than enough.

> 2) I'm wondering also to set up this boxes virtualized using KVM. I know
> that using RTC it's a really pain in the ass, but maybe you can give me some
> advice for this config.

Don't virtualize your ntp servers.

Best
   Martin



Re: TLS now supported on openbsd.org?

2016-05-09 Thread Martin Schröder
2016-05-09 18:57 GMT+02:00  :
> - I don't know in modern browsers, but Links 2.12 say that the
> certificate is not valid. It's just old browsers, or firefox also
> have this same problem?

All's good. See
https://www.ssllabs.com/ssltest/analyze.html?viaform=on=www.openbsd.org



Re: openbsd.org, openssh.com server(s) down

2016-03-15 Thread Martin Schröder
2016-03-15 14:31 GMT+01:00 Rudolf Sykora :
> is it only I who cannot connect to either
> of openbsd.org and openssh.com, or

Nope.
http://www.downforeveryoneorjustme.com/openbsd.org

Best
   Martin



Re: Small FW boxes for CORP use (was: T40E APU?)

2016-03-11 Thread Martin Schröder
2016-03-11 22:42 GMT+01:00 Alan McKay :
> Ideally I'd like to get a redundant pair of FWs in 1U.
> But I need 4 NICs on each as a bare min.

Lanner FW-7525

Best
   Martin



Re: What hardware spec would I need to push 20 gigabit of network traffic on an OpenBSD server?

2015-10-27 Thread Martin Schröder
2015-10-27 20:24 GMT+01:00 Adam Thompson :
> You talk about storing the data - *writing* data to disk at 10Gbps
> (sustained) is currently in the realm of high-energy physics, with
> multi-million-dollar budgets for the storage arrays.  A 7200rpm disk can

And then there are SSDs. PCIE SSDs do up to 3000 MB/s write throughput.
https://www-ssl.intel.com/content/www/us/en/solid-state-drives/solid-state-drives-dc-p3608-series.html

And I'm sure there are tape libraries that can write that, too. :-)

Best
   Martin



Re: Recommended Industrial PCs?

2015-08-27 Thread Martin Schröder
2015-08-27 12:26 GMT+02:00 Martin Haufschild martin.haufsch...@uni-rostock.de:
> I forgot to say that we are looking for a fanless IPC.

You forgot to say a lot of things...

E.g. how fast will your communication line be? 1kb or 100gb?

Best
   Martin



Re: Firewall question: is using a NIC with multiple jacks considered insecure?

2015-07-27 Thread Martin Schröder
2015-07-27 11:46 GMT+02:00 Quartz qua...@sneakertech.com:
> turning out rather difficult to find a case that's small enough to fit. I'd
> really like to use an itx system with multiple onboard ethernet jacks and
> cram it into something like a MiniBox M350 or Antec ISK110, but I'm not sure

A Lanner FW7525 or even an Alix APU don't seem to be much larger...

Best
   Martin



Re: Blob-free OpenBSD kernel needed

2015-06-09 Thread Martin Schröder
2015-06-09 18:48 GMT+02:00 Elias Diem li...@webconect.ch:
> I just wonder: Is there really such microcode available that
> is open source?

No.



Re: Robustness in ports fetch program?

2015-05-17 Thread Martin Schröder
2015-05-17 14:18 GMT+02:00 Alan Corey alan01...@gmail.com:
> I don't think it did this back in 5.0 days or maybe earlier.  I started
> with OpenBSD 2.7, I just usually attributed problems to being my fault.
> And I've always used the ports tree, not packages. Distfiles are often
> useful across OpenBSD versions, sometimes in FreeBSD, I've even built some
> under Linux.
>
> I didn't look at what FETCH_CMD was defined as by default, I just assumed
> defining something non-null changed it.  I did notice that when it retries
> it's wrongly assumed there's a problem with the first source and gone to
> another.
>
> Does every developer have perfect internet?  That's very frustrating, maybe
> counterproductive in testing.  Try a modem, you can probably find a free
> one.  Connection interruptions and resets happen many times a day.
> On May 17, 2015 1:22 AM, Marc Espie es...@nerim.net wrote:
>
> On Sat, May 16, 2015 at 10:31:24PM -0400, Alan Corey wrote:
> > I'd seen this happen in 5.6 too, but I just caught an example of it in
> > 5.7.  My connection leaves a lot to be desired, but there's nothing I
> > can do about that.  I normally have FETCH_CMD set to use wget once I
> > get it installed but this was in doing a standard make install of a
> > port.
> >
> > The first time the connection gets interrupted, but something thinks
> > it should be done and checks the size.  That's wrong so it downloads
> > it over again instead of just resuming the download.  It should only
> > download it over again if the size matches but the CRC is wrong.
> > Seems like anyway.
> >
> > ===>  Verifying install for tcl-8.5.16 in lang/tcl/8.5
> > ===>  Checking files for tcl-8.5.16p0
> > >> Fetch http://downloads.sourceforge.net/sourceforge/tcl/tcl8.5.16-src.tar.gz
> > tcl8.5.16-src.tar.gz  60% |*|  2696 KB 00:00
> > >> Size does not match for tcl8.5.16-src.tar.gz
> > >> Fetch http://ftp.openbsd.org/pub/OpenBSD/distfiles//tcl8.5.16-src.tar.gz
> > tcl8.5.16-src.tar.gz  23% |**   |  1024 KB 00:03 ETA
>
> The problem lies in ftp(1).
>
> Logic in the ports tree is fine. But there's nothing it can do there: somehow
> your ftp returns 0 (e.g., success), so the partial file gets removed.
>
> If you want to get it fixed, you may have to provide more input, as we
> obviously do not see that problem... First thing would be to override
> FETCH_CMD to remove the -V, so that you can show us what ftp says about
> things.  Tracing the code thru the program would help.



Re: my experience with openbsdstore.com

2015-04-12 Thread Martin Schröder
2015-04-12 20:12 GMT+02:00 Jason Adams adams...@gmail.com:
> On 04/11/2015 06:01 AM, IMAP List Administration wrote:
>> The trouble began immediately. I chose electronic wire transfer as the
>> payment method,
>
> It's not 1929 any more. I'm utterly surprised the store still offers
> wire transfer.

Not everyone lives in a country that still believes mailing paper
scraps is the best way to transfer money.

In Europe electronic transfer is the norm. It's fast and cheap (note:
In the EU an electronic transfer in Euros across countries MAY NOT
cost more than a national transfer - which often is free. And if one
party is in a non-Euro country (like the UK) no exchange cost will be
added).

https://en.wikipedia.org/wiki/Wire_transfer#Regulation_and_price

Best
   Martin



Re: my experience with openbsdstore.com

2015-04-11 Thread Martin Schröder
2015-04-11 17:08 GMT+02:00 Bernd Schoeller ber...@fams.de:
> As a little defence to the OpenBSD store guys: the banking system in the UK
> is by far the crappiest I have seen in whole of Europe. The banks are all

Small wonder since Airstrip One seems to believe it's not in Europe.

Maybe the OpenBSD store should move to Europe proper.

Best
   Martin



Re: Exploiting PCI-based DMA in OpenBSD

2015-04-04 Thread Martin Schröder
2015-04-04 13:08 GMT+02:00 Артур Истомин art.is...@yandex.ru:
> https://github.com/carmaa/inception/blob/master/README.md
>
> Is OpenBSD susceptible to this attack? I mean not tool themself,
> I mean vector of attack.

There is no FireWire support in OpenBSD, so no.
Btw: This is old news.



Re: Executable signing - a proposal

2015-03-31 Thread Martin Schröder
2015-03-31 9:52 GMT+02:00 Gareth Nelson gar...@garethnelson.com:
> 2 - All executables on the system must be signed with that public key
> 3 - Any executable not signed is essentially chmod -x

How does this help with interpreted code (e.g. shell, perl, python, java)?

Best
   Martin



Re: Very-small fully-functional systems?

2015-03-09 Thread Martin Schröder
2015-03-09 9:35 GMT+01:00 Alexandre Ratchov a...@caoua.org:
> The Raspberry Pi is said (search linux audio lists) to be unusable
> because of the poor quality hardware.

There's additional hardware that is said to work quite well:
https://www.hifiberry.com/

Best
   Martin



Re: CPU criteria for OpenBSD firewall

2015-02-19 Thread Martin Schröder
2015-02-19 10:58 GMT+01:00 Alexander Salmin alexan...@salmin.biz:
> Good luck, when you have time I also recommend that you read this.
> https://calomel.org/network_performance.html

The consensus here seems to be to warn against any tweaks etc. by calomel.



Re: CPU criteria for OpenBSD firewall

2015-02-19 Thread Martin Schröder
2015-02-19 16:33 GMT+01:00 Dmitrij D. Czarkoff czark...@gmail.com:
> It would be nice if someone with expertise could write a detailed
> explanation of the issues with that article...

Thou art not supposed to twiddle with your config.



Re: FAQ: My mission is to make it up into /src/lib/libssl/...

2015-01-11 Thread Martin Schröder
2015-01-11 22:39 GMT+01:00 David Christensen dpchr...@holgerdanske.com:
> Is this a statement by the OpenBSD project, or has the page been defaced?

It's intentional:
http://cvsweb.openbsd.org/cgi-bin/cvsweb/www/faq/index.html.diff?r1=1.374&r2=1.375

Best
   Martin



Re: OpenBSD projects

2014-12-26 Thread Martin Schröder
2014-12-26 18:42 GMT+01:00, jungle Boogie jungleboog...@gmail.com:
> Here's a list of projects that I'm aware of that openBSD created. Is
> that correct? (p) is for portable. What else am I missing?

opencvs

Best
Martin



Re: OpenBSD Trademark Policy

2014-12-07 Thread Martin Schröder
2014-12-06 9:45 GMT+01:00 Riley Baird
bm-2cvqnduybau5do2dfjtrn7zbaj246s4...@bitmessage.ch:
> I have a few questions about OpenBSD's trademark policy. (I tried
> looking, but I couldn't find a document.)

Is OpenBSD actually a registered trademark? The USPTO doesn't list it.
FreeBSD is, though.

Best
   Martin



Re: OpenBSD embedded? (was: OpenBSD 5.6-current on ASUS Chromebox)

2014-12-03 Thread Martin Schröder
2014-12-03 18:49 GMT+01:00 Alan McKay alan.mc...@gmail.com:
> Does anyone know of a similar device with 2 NICs that might be
> suitable as a home firewall?

Yes. There are archives of this list.



Re: 64-bit amd64 : actual memory limitations?

2014-10-26 Thread Martin Schröder
2014-10-26 20:02 GMT+01:00 Mayuresh Kathe mayur...@devio.us:
> 64-bit supposedly supports up to 16 exabytes of memory ('ram').

Current hardware supports only 2^48...

https://en.wikipedia.org/wiki/X86-64#Physical_address_space_details

Best
   Martin



Re: Wireless PCIe (Host AP mode) recommendations

2014-10-26 Thread Martin Schröder
2014-10-26 22:31 GMT+01:00 Gordon Turner tur...@ftn.net:
> Rosewill RNX-G300LX
> (http://www.newegg.ca/Product/Product.aspx?Item=N82E16833166021)
> - Up to 54Mbps
> - Chipset RaLink RT2561/RT61
> - Supported by ral
> http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man4/ral.4?query=ral&sec=4

That's PCI, not PCIe.

Best
   Martin



Re: 64-bit amd64 : actual memory limitations?

2014-10-26 Thread Martin Schröder
2014-10-27 1:56 GMT+01:00 Mayuresh Kathe mayur...@devio.us:
> if the intended application actually requires larger memory to be
> accessible, would it be better to go for a non-x86-64 64-bit hardware?

256TB (2^48) should be good enough till 2020.



Re: 64-bit amd64 : actual memory limitations?

2014-10-26 Thread Martin Schröder
2014-10-27 3:37 GMT+01:00 Mayuresh Kathe mayur...@devio.us:
> From owner-misc+m143...@openbsd.org  Sun Oct 26 22:22:57 2014

Fix your mail client, please.

>> 256TB (2^48) should be good enough till 2020.
>
> it is for a lot of records (data-sets) to be held in memory instead
> of approaching the disk every time that data is requested.
> the use-case is primarily for financial system, but, will also
> hold 'gis' data going forward.
> the owner of the system isn't rich enough to afford an 'ibm'
> mainframe, hence a unix based system written in c89 under openbsd.
> i am just the adviser/consultant. :)

Then think a second about how large 256 TB are. And how long your
machine will need to load 256 TB of data. And what 256 TB of RAM will
cost.

Today we see machines with 2TB.

SGI UV 2000 goes up to 64TB with 256 CPUs. I seriously doubt that we
will see OpenBSD in production on these machines. :-)

What exactly is your application?

Best
   Martin



Re: libressl

2014-10-22 Thread Martin Schröder
2014-10-22 16:33 GMT+02:00 Gregory Edigarov ediga...@qarea.com:
> openssl(1) is? For example ressl(1) would be the new high level interface
> with very few selected frequently used  functions, and openssl(1) with low
> level interface as it is  now

http://www.openbsd.org/papers/eurobsdcon2014-libressl.html

Best
   Martin



Re: Shadow TCP stacks

2014-10-17 Thread Martin Schröder
2014-10-17 10:24 GMT+02:00 Bret Lambert bret.lamb...@gmail.com:
> On Thu, Oct 16, 2014 at 02:48:22PM +0200, Martin Schröder wrote:
>> The impossibility to scan for services - which the NSA/GCHQ/... do.
>
> It's a good thing that traffic analysis isn't a thing, then. Otherwise
> they'd be able to check if traffic purporting to go to port 80/443
> doesn't look like HTTP traffic, or something.

That's not the scenario here. The scenario is defense against port scans.

You look like a fool who hasn't read the original paper.



Re: Shadow TCP stacks

2014-10-17 Thread Martin Schröder
2014-10-17 20:49 GMT+02:00 Bret Lambert bret.lamb...@gmail.com:
> Well, if, as Herr Schroeder seems to be implying, this is used to
> avoid port scans, I'd look for traffic to/from address:port which
> don't show up on scans.

That's certainly possible but more expensive than finding all ssh servers.

Best
   Martin



Re: Shadow TCP stacks

2014-10-16 Thread Martin Schröder
2014-10-16 13:16 GMT+02:00 Kevin Chadwick ma1l1i...@yahoo.co.uk:
> I still don't see the benefit though but do see added complexity or
> more code to audit.
>
> Reducing DDOS against a visible SSH service maybe? Reduce password
> attempts on your logs allowing them to go after targets that might
> actually use passwords (port change also works there, I find)?

The impossibility to scan for services - which the NSA/GCHQ/... do.

Best
   Martin



Re: [Bulk] Re: Shadow TCP stacks

2014-10-15 Thread Martin Schröder
2014-10-16 2:22 GMT+02:00 Ian Grant ian.a.n.gr...@googlemail.com:
>> Perhaps I have missed something but if you have a ssh tunnel or
>> something then just put that in front of the service without increasing
>
> Moved to misc.
>
> Yes, you missed something: the point :-)
>
> The idea is that the existence of this entire 'ultranet' is
> undetectable by even someone snooping all national traffic. So a TCP
> port 80 connection looks to the snooper _exactly_ like an HTTP
> connection handshake. Only the ISN and the source address mark the

Or a service on a port is invisible unless a magic SYN packet appears.

Best
   Martin



Re: openbsdstore: enable javascript and buy something or gtfo

2014-10-03 Thread Martin Schröder
2014-10-03 16:09 GMT+02:00  david...@ling.ohio-state.edu:
> Strangely enough, this doesn't incline me to enable javascript.

Why?

Don't you trust the store?



Re: How to follow -stable and verify it with signify?

2014-10-01 Thread Martin Schröder
2014-10-01 3:02 GMT+02:00 Giancarlo Razzolini grazzol...@gmail.com:
> OpenBSD does not have any secure way to get things.

Buy a CD. If you don't trust the shop, have it somehow signed by a dev.

Best
   Martin



Re: OpenBSD 5.5: question regarding pf syntax

2014-09-28 Thread Martin Schröder
2014-09-28 22:49 GMT+02:00 Jack Woehr jwo...@softwoehr.com:
> BTW 3rd edition about to be released.

The ebook _has_ been released. :-)

Best
   Martin



Re: rsync -a doesnt keep owner and permissions

2014-08-21 Thread Martin Schröder
2014-08-21 8:47 GMT+02:00 Markus Rosjat ros...@ghweb.de:
> Just a short heads up how I did it now and you guys might want to share your
> opinion on the security with this scenario.
>
> machine A (from where I want to pull files):
> - root can't login over ssh
> - sync user can only connect with auth key and from host B
> - sync user is allowed to run rsync without pw (sudoer file)

The setup I use
- a separate non-privileged user
- a forced command (via the ssh key without password) to a script that
  checks the incoming command and then calls sudo rsync

So someone controlling machine B can _read_ everything, but write
nothing.

Best
   Martin

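#!/usr/bin/env bash
# $Id: rrsync.sh,v 1.3 2007/07/01 12:40:14 remote-backup Exp $
# Forced command for the backup key: sshd places the command the client
# asked for in SSH_ORIGINAL_COMMAND and runs this script instead.
case "$SSH_ORIGINAL_COMMAND" in
  # Only requests containing an rsync read ("sender") invocation pass.
  *"rsync --server --sender"*)
    logger -t rrsync "$SSH_ORIGINAL_COMMAND"
    # Unquoted on purpose: sudo needs the command split into words.
    sudo $SSH_ORIGINAL_COMMAND
    ;;
  *)
    echo "Sorry, command rejected"
    exit 1
    ;;
esac
# vim: syntax=csh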
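
A stricter variant of the forced-command check above, as an added example that is not part of the original post: it matches the fixed words `rsync --server --sender` by position rather than anywhere in the string, and refuses long options outside a short allowlist. The `RSYNC` path, the allowlist, the `--selftest` switch and the sample commands are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not the poster's script: stricter check for a pull-only
# rsync forced command. RSYNC path and the option allowlist are assumptions.
RSYNC=/usr/local/bin/rsync

# validate_pull CMD: succeed only for "rsync --server --sender", then options,
# then ".", then at least one path.
validate_pull() {
    cmd=$1
    nl='
'
    case $cmd in
        ''|*"$nl"*) return 1 ;;   # empty, or multi-line (would forge log lines)
    esac
    set -f            # split into words without pathname expansion
    set -- $cmd
    set +f
    # Fixed words are matched by position, not anywhere in the string.
    [ "$1" = rsync ] && [ "$2" = --server ] && [ "$3" = --sender ] || return 1
    shift 3
    seen_dot=0 npaths=0
    for arg in "$@"; do
        if [ "$seen_dot" -eq 1 ]; then
            case $arg in -*) return 1 ;; esac   # a path must not look like an option
            npaths=$((npaths + 1))
            continue
        fi
        case $arg in
            .)             seen_dot=1 ;;
            --numeric-ids) ;;            # allowlisted long option (assumed policy)
            --*)           return 1 ;;   # any other long option is refused
            -*)            ;;            # short option bundle, e.g. -logDtpr
            *)             return 1 ;;   # stray word before "."
        esac
    done
    [ "$seen_dot" -eq 1 ] && [ "$npaths" -ge 1 ]
}

# selftest: print the verdict for constructed sample commands.
selftest() {
    while IFS='|' read -r want sample; do
        if validate_pull "$sample"; then got=accept; else got=reject; fi
        printf '%-6s (expected %s): %s\n' "$got" "$want" "$sample"
    done <<'EOF'
accept|rsync --server --sender -logDtpre.iLsfxC . /etc/
reject|rsync --server -logDtpre.iLsfxC . /etc/
reject|rsync --server --sender --not-on-allowlist . /etc/
reject|echo rsync --server --sender . /tmp
EOF
}

case ${1:-} in --selftest) selftest; exit 0 ;; esac

# As a forced command: sshd puts the client's request in SSH_ORIGINAL_COMMAND.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if validate_pull "$SSH_ORIGINAL_COMMAND"; then
        logger -t rrsync "accepted: $SSH_ORIGINAL_COMMAND"
        set -f; set -- $SSH_ORIGINAL_COMMAND; set +f
        shift                       # drop the client's "rsync" word
        exec sudo "$RSYNC" "$@"     # fixed binary, arguments passed without a shell
    fi
    logger -t rrsync "rejected command"
    echo "Sorry, command rejected" >&2
    exit 1
fi
```

Invoked with `--selftest` it prints the verdict for each constructed sample; as a forced command it reads `SSH_ORIGINAL_COMMAND` instead.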


